[MART] - Daily Diary #507 - REvil reemerges after 6 months of inactivity

CTAS-MAT ctas-mat at appgate.com
Tue May 10 20:23:21 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

05/10/2022 - Diary entry #507

In our Daily Diaries #431 and #385, we covered the international effort to take down the REvil (a.k.a. Sodinokibi) cybercrime group. At the time, the operation ended with 14 REvil members arrested in Russia, the REvil platform shut down, and the authorities providing Kaseya (recently attacked) with a decryptor. Now, after almost six months of inactivity, new samples sharing Sodinokibi's source code have been disclosed.

The new sample, submitted last month to VirusTotal, carries a timestamp from March 11th 2022. Among its changes, it carries a new config, a new mutex, and new campaign IDs. Although scary, the new version seems to be under development: a bug in the encryption module causes files to be renamed before being encrypted, which makes the encryption fail. Execution ends with files merely renamed on the system, rendering the ransom demand useless, since there is nothing to decrypt. It's not clear whether this is the work of the same group or another gang.

The return of the REvil group is probably related to the current Russia-Ukraine conflict. Arresting the members required an international effort that included Russia and the USA, but on April 7th Moscow published a statement disclosing that it was no longer cooperating with the USA regarding the REvil hacker group's activities. On April 19th, REvil's Tor domain, inactive since the shutdown, reappeared online, listing new victims.

Kind Regards,






Felipe Duarte Domingues
Manager, MART
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>

